Comment by v3xro 2 days ago

34 replies

Just to note here - with Mullvad you can pay via gift card that you can find at various retailers (to get a one-time code that you can use to create an account). Of course they can see your IP address but there is no payment/contact information on the system.

dongcarl 2 days ago

(Carl from Obscura here)

Totally! Mullvad is _the_ pioneer in this space, and we look up to them. This is why they were our top pick for being an exit hop provider!

  • VladVladikoff 2 days ago

    Hey Carl, sorry to hijack the thread but I have a question for you. Being the operator of a small website (5M views/month, 200k users), I am often plagued by targeted cyber attacks. Over the years many of these come from privacy enhanced networks (e.g. Tor, Mullvad, etc). I have approached Mullvad many times with abusive user reports which they seem to simply ignore. How do you plan to address this in your product? Will you simply allow bad actors to abuse the internet via your service? Or do you have some plans to address this issue?

    • ziddoap 2 days ago

      If the abuse is serious enough, pursue legal avenues. Otherwise, these types of companies shouldn't be unmasking users based on a random person's assertion that someone is bad. That would be an abuse vector itself.

      • VladVladikoff 2 days ago

        I am not asking them to. I am asking them to do a better job of bad actor detection and banning. Their current stance seems to be “ignore all packets, log nothing”. In my opinion they should be doing some amount of AI based abuse detection. This should be possible without violating user privacy.

    • yjftsjthsd-h 2 days ago

      > I have approached Mullvad many times with abusive user reports which they seem to simply ignore.

      What would you like them to do? Considering that AIUI they outright don't log or monitor users at all, I can't think of anything they could do with your reports.

      • VladVladikoff 2 days ago

        Yes that is the crux of the issue. However many times when I reported bad actors to Mullvad the attacks were multi day attacks that were ongoing. It would have been trivial for Mullvad to add a filter to check for future packets from that VPN IP to my server IP and flag the associated account. However I believe even this approach is far too manual and invasive. I think there would be a better way using AI to analyze abuse patterns, and automatically flag bad users which match these patterns.

        The issue is that VPN providers have zero motivation to do this, because a non-zero percentage of their user base is literally paying them BECAUSE they can use the service to attack other servers with a level of anonymity. If the VPN providers were to combat this issue it would negatively impact their revenue.

    • dongcarl 2 days ago

      I can understand that concern, and I think in the future some version of [Privacy Pass](https://privacypass.github.io/) will allow for site operators to differentiate between normal vs. abusive users without relying on IP reputation (which is more unreliable anyway since CGNAT is a thing).

      • VladVladikoff 2 days ago

        We typically don't ban IPs for the very reason mentioned here (CGNAT is a very real thing and we have many users who share IPs). However we do ban IP ranges associated with VPNs that we see an excessive amount of abuse from. I might be an outlier on the internet, but if you take the stance you have outlined above, that you will effectively do nothing to combat the level of abuse from your network, you inevitably hurt your honest users because some web services will be unavailable to them via your VPN.

  • k1tanaka a day ago

    As a long term user of Mullvad, I appreciate when new companies try to innovate on existing ones while acknowledging their value. While I have no interest in changing VPNs right now, I will keep an eye on Obscura. Wish you the best

layer8 2 days ago

In theory, there could still be a possibility to track through the retailers who bought which one-time code (or have particular buyers be sent particular codes). But Mullvad also simply accepts cash by mail.

  • dizhn 2 days ago

    There's a new privacy-focused entitlement proving thingy now. The first implementation is by Cloudflare I believe but Kagi also just went live with it. The name escapes me at this mobile moment.

switch007 2 days ago

You can mail them cash too

  • arccy 2 days ago

    careful not to mail them from close to home, or have any handwriting, or leave any fingerprints

    • staticelf 2 days ago

      Doesn't matter if you use Windows / Mac because it will ping their services before you jump on the VPN and it will know the before IP and the IP after. :)

      • switch007 2 days ago

        Well, the 'after IP' is an IP shared with tens or hundreds of thousands of other people.

        But yes the use case for a VPN is pretty narrow. E.g. not wanting your ISP to mess with your traffic and decreasing chances of detection of torrenting

      • hirvi74 2 days ago

        My boy, Tim Cook, ain't a snitch though. (At least, I hope not).

buttercraft 2 days ago

You can also mail them an envelope full of cash last I checked.